| Computer | File Server Activity | **In the audited environment** - For a security principal (e.g., Everyone), the following options must be configured in the Advanced Security → Auditing settings for the audited shared folders: <br />- List Folder / Read Data (Files only): _"Success"_ and _"Fail"_<br />- List Folder / Read Data (This folder, subfolders and files): _"Fail"_<br />- Create Files / Write Data\* : _"Success"_ and _"Fail"_<br />- Create Folders / Append Data\* : _"Success"_ and _"Fail"_ <br />- Write Extended Attributes\* : _"Success"_ and _"Fail"_<br />- Delete Subfolders and Files\* : _"Success"_ and _"Fail"_<br />- Delete\* : _"Success"_ and _"Fail"_<br />- Change Permissions\* : _"Success"_ and _"Fail"_<br />- Take Ownership\* : _"Success"_ and _"Fail"_<br />- Select _"Fail_" only if you want to track failure events, it is not required for success events monitoring. If you want to get only state-in-time snapshots of your system configuration, limit your settings to the permissions marked with \* and set it to _"Success"_ (Apply onto: This folder, subfolders and files).<br /><br />The following Advanced audit policy settings must be configured:<br />- The Audit: Force audit policy subcategory settings (Windows 7 or later) security option must be enabled.<br />- Depending on your OS version, configure the categories as follows:<br /> - Windows Server 2008:<br /> - Object Access; Audit File Share _"Success"_ ; Audit File System _"Success"_ and _"Failure"_ ; Audit Handle Manipulation _"Success"_ and _"Failure"_ ; Logon/Logoff ; Logon _"Success"_ ; Logoff _"Success"_ ;<br /> - Policy Change: Audit Audit Policy Change: _"Success"_<br /> - System: Security State Change: _"Success"_<br /> - Windows Server 2008 R2 / Windows 7 and above<br /> - Object Access:<br /> - Audit File Share: _"Success"_<br /> - Audit File System: _"Success"_ and _"Failure"_<br /> - Audit Handle Manipulation: _"Success"_ and _"Failure"_<br /> - Audit Detailed file share: _"Failure"_<br /> - Logon/Logoff:<br /> - Logon: _"Success"_<br /> - Logoff: _"Success"_<br /> - Policy Change:<br /> - Audit Audit Policy Change: _"Success"_<br /> - System:<br /> - Security State Change: _"Success"_<br /> - If you want to get only state-in-time snapshots of your system configuration, limit your audit settings to the following policies:<br /> - Object Access:<br /> - Audit File System: _"Success"_<br /> - Audit Handle Manipulation: "Success"<br /> - Audit File Share: "Success"<br /> - Policy Change:<br /> - Audit Audit Policy Change: "Success"<br /> - The following legacy policies can be configured instead of advanced:<br /> - Audit object access policy must set to _"Success"_ and _"Failure"_.<br /> - Audit logon events policy must be set to _"Success"_.<br /> - Audit system events policy must be set to _"Success"_.<br /> - Audit policy change must be set to _"Success"_.<br /> - The Security event log maximum size must be set to 4GB.<br /> - The retention method of the Security event log must be set to _“Overwrite events as needed”_.<br /> - The Remote Registry service must be started.<br /> - The following inbound Firewall rules must be enabled:<br /> - Remote Event Log Management (NP-In)\*<br /> - Remote Event Log Management (RPC)\*<br /> - Remote Event Log Management (RPC-EPMAP)\*<br /> - Windows Management Instrumentation (ASync-In)<br /> - Windows Management Instrumentation (DCOM-In)<br /> - Windows Management Instrumentation (WMI-In)<br /> - Network Discovery (NB-Name-In)<br /> - File and Printer Sharing (NB-Name-In)<br /> - File and Printer Sharing (Echo Request - ICMPv4-In)<br /> - File and Printer Sharing (Echo Request - ICMPv6-In)<br /> - The rules marked with \* are required only if you do not want to use network traffic compression for auditing.<br /> - If you plan to audit Windows Server 2019 or Windows 10 Update 1803 without network compression service, make sure the following inbound connection rules are enabled:<br /> - Remote Scheduled Tasks Management (RPC)<br /> - Remote Scheduled Tasks Management (RPC-EMAP) |
0 commit comments